LevelBlue Generic Data Source

The LevelBlue Generic Data Source is a predefined view of events which displays log data when the USM Anywhere is unable to match them with any BlueApps based on hints and manual associations.

This view works the same as the events list view. On the left you can find the search and filter options. In the upper side of the page, you can see any filters you have applied, and you have the option to create and select different views of the events. The main part of the page is the actual list of events. Each row describes an individual event. If you want to analyze the data and see the additional columns without having to scroll left and right, you can maximize the screen and hide the filter pane. Click the

icon to hide the filter pane. Click the

icon to expand the filter pane. The following table lists the fields you see on the page. List of the Default Columns in the LevelBlue Generic Data Source

Column / Field Name	Description
Event Name	Name of the event.
Time Created	The date and time of the creation of the event. The displayed date depends on your computer’s time zone.
OTX	Indicate if it is an event or not. If the icon displays as active, click it to go to OTX.
Reporting Device	The asset that sent the .
Source Asset	Hostname or IP address of the (with the national flag if the country is known) that initiates the event. Important: If you want to create a rule, use the Source Name or Source Asset ID field instead of using this field.
Destination Asset	Hostname or IP address of the host (with the national flag if the country is known) that receives the event. Important: If you want to create a rule, instead of using this field, use the Destination Name or Destination Asset ID fields.
Sensor	Name of the USM Anywhere Sensor detecting the event. The type of sensor is also displayed below the sensor name.
Username	Username associated with the event.

The Reporting Device column includes the assets that sent the syslog. Next to the asset name of this column, click the

icon to access the following options. Your access to these options may vary based on your user role. See Role-Based Access Control (RBAC) in USM Anywhere for more information:

Assign plugin: See Adding BlueApps to an Asset for more information.
Full Details: See Viewing Assets Details for more information.
Configure Asset: See Editing Assets for more information.
Delete Asset: See Deleting the Assets for more information.
Assign Credentials: See Managing Credentials in USM Anywhere for more information.
: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Authenticated Asset Scans for more information.
Scan with BlueApp: This option enables you to run an asset scan through an BlueApp. See Running Asset Scans Using a BlueApp for more information.
Run Scan: This option displays depending on the USM Anywhere Sensor associated with the asset. See Running Asset Scans for more information.
: This option opens the Assets Details page. The Configuration Issues tab is selected in the page. See Viewing Assets Details for more information.
Vulnerabilities: This option opens the Assets Details page. The Vulnerabilities tab is selected in the page. See Viewing Assets Details for more information.
Alarms: This option opens the Assets Details page. The Alarms tab is selected in the page. See Viewing Assets Details for more information.
Events: This option opens the Assets Details page. The Events tab is selected in the page. See Viewing Assets Details for more information.

Next to the source and destination asset name, click the

icon to access the following options. Your access to these options may vary based on your user role. See Role-Based Access Control (RBAC) in USM Anywhere for more information:

Add to current filter: Use this option to add the asset name as a search filter. See Searching Events.
Look up in OTX: This option searches the IP address of the source asset in the Open Threat Exchange page. See Using OTX in USM Anywhere
Add asset to system: Use this option to create the asset in the system. See Adding Assets.

You can configure the view you want for the list of events; see Views for more information. Click Generate Report to open the Configure Report dialog box. See Create an Events Report for more details. The graph above the events list displays the amount of events in a period of time. You can change this period by clicking Last 24 Hours filter. Click the

icon to access these options:

Actions / User: Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
Count / Time: Provides Reports USM Anywhere account activity based on specific account users and summarized by Create, Read, Update, and Delete categories.
Auth / User: Reports authorization actions.
Source Map: Provides the number of events associated with each country on a global map.

Click the

icon to bookmark an item for quick access.

Note: You can view your bookmarked items by going to the secondary menu and clicking the

icon. This will display all of your bookmarked items and provide direct links to each of them.

Click the

icon to filter your search by row fields. See Filtering Events by Row Fields for more information. You can choose the number of items to display by selecting 20, 50, or 100 below the table. You can classify some columns by clicking the icons to the right side of the heading. You can sort the item information in ascending or descending order.

Configuring Columns

Within the page, you can configure the columns and fields that display in the list view. You can also save your configuration settings for later use. To configure your columns

From the LevelBlue Generic Data Source list view, click the icon. The Manage Columns dialog box opens.
Search the columns you want to have in the list view by using the search field.
Use the and icons to select or deselect from the available columns.
You can order the columns by clicking and dragging the column to the desired place.
Click Apply.

Note: If you generate a report when you have set custom columns, your report keeps the columns you have configured.

Important: If you want to keep your configuration, you need to save it by selecting Save View > Save As. Otherwise, your custom view is not kept when you move to another feature. See LevelBlue Generic Data Source for more information.

Views

You can configure the view you want for the list of items in the page. To create a view configuration

From the list view, click the icon.
Use the and icons to pass the items from one column to another and select the columns you want to see.
Click Apply.
If you want to delimit the search, select the filters you want to apply.
Go to Save View > Save As. The Save Current View dialog box opens.
Enter a name for the view.
(Optional) Select Share View if you want to share your view with other users.
Click Save. The created view is already selected.

Note: Only users in the Analyst, Manager, or Investigator roles can create a view configuration.

To select a configured view

From the ist view, click View above the filters.
Click Saved Views, and then select the view you want to see.
Note: A shared view includes the icon next to its name.
Click Apply.

To delete a configured view

From the LevelBlue Generic Plugin list view, click View above the filters.
Click Saved Views, and then click the icon next to the saved view you want to delete. A Settings Delete dialog box opens to confirm the deletion.
Click Accept.
Important: The icon does not display if the view is selected.

Note: Only Manager and Analyst users can delete any configured view. You can only delete the views you have created in an Investigator role.

USM Anywhere™

USM Central™

Automated Policy Manager

LevelBlue Generic Data Source

Configuring Columns

Views

USM Anywhere™

USM Central™

Automated Policy Manager

​Configuring Columns

​Views

Configuring Columns

Views